##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

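# Internal test exploit used to exercise the framework's payload/encoder
# machinery against a dummy TCP service. It is not a real exploit: `check`
# always reports Vulnerable and `exploit` simply writes the encoded payload
# to the socket, so the interesting behaviour lives in the target
# definitions, each of which drives a different encoding path.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Internal Aggressive Test Exploit',
        'Description' => "This module tests the exploitation of a test service.",
        'Author' => 'skape',
        'License' => MSF_LICENSE,
        'Arch' => 'x86',
        'Payload' => {
          'Space' => 1000,
          'MaxNops' => 0,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Targets' => [
          # Target 0: Universal -- default payload constraints only.
          [
            'Any Platform',
            {
              'Platform' => [ 'linux', 'win' ]
            }
          ],
          # Target 1: forces a specific encoder type and passes encoder options,
          # to test that per-target encoder selection is honoured.
          [
            'Test encoder specific',
            {
              'Platform' => [ 'linux', 'win' ],
              'Payload' =>
                {
                  'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
                  'EncoderOptions' =>
                    {
                      'BufferRegister' => 'EBX',
                      'BufferOffset' => 4
                    }
                }
            },
          ],
          # Target 2: every byte value 0x00-0xff is marked bad so that no
          # encoder can succeed; exercises the encoding-failure path.
          #
          # NOTE: this must be a 256-byte binary string. The former
          # `(0..255).to_a.map { |x| x.chr }.to_s` relied on Ruby 1.8's
          # Array#to_s (== join); on Ruby 1.9+ Array#to_s is #inspect and
          # yields the *printable* text `["\x00", "\x01", ...]`, leaving most
          # byte values allowed and silently defeating the test.
          [
            'Cannot be encoded',
            {
              'Platform' => [ 'linux', 'win' ],
              'Payload' =>
                {
                  'BadChars' => (0..255).to_a.pack('C*')
                }
            }
          ],
          # Target 3: same constraints as the default, but the exploit method
          # dumps the first 40 bytes of the encoded payload as disassembly so
          # the context-encoder output can be inspected by hand.
          [
            'Test context encoder',
            {
              'Platform' => [ 'linux', 'win' ],
              'Payload' =>
                {
                  'BadChars' => "\x00"
                }
            }
          ]
        ],
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ]),
        OptInt.new('TestInteger', [ false, "Testing an integer value", nil ])
      ]
    )
  end

  # Test module: never let the framework auto-select it during mass runs.
  def autofilter
    false
  end

  # Test module: the dummy service is always considered vulnerable.
  def check
    return Exploit::CheckCode::Vulnerable
  end

  # Connects to RHOST:RPORT, writes the encoded payload, optionally blocks on
  # stdin, then hands off to the payload handler. No response is read and
  # no protocol is spoken -- the remote end is a throwaway test listener.
  def exploit
    # Encode once and reuse, so what is disassembled is what is sent.
    buf = payload.encoded

    # Show disassembled payload for context encoder test
    if target.name =~ /context encoder/
      puts Rex::Assembly::Nasm.disassemble(buf[0, 40])
    end

    connect

    print_status("Sending #{buf.length} byte payload...[#{datastore['TestInteger']}]")

    sock.put(buf)

    # Kernel#gets reads from ARGF (stdin unless ARGV names files); this is a
    # manual debugging aid and is only reached when WaitForInput is set.
    if (datastore['WaitForInput'])
      puts "Type something..."
      gets
    end

    handler
  end

end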
